vRealize Automation

VMware has recently announced the following VMware Certified Advanced Professional exams are due to expire at the end of September 2018. If you are currently studying for one of these exams, you may want to accelerate your study and schedule the exam soon before availability reduces.

In part 1 of this blog post, I demonstrated the impact of configuring vRA Directories Management using IWA in a disjointed namespace. In this blog post, I will now cover the procedure to remediate and recover vRA to an operational state.

The high level steps required to remediate vRA are listed in order below:

Verify you are now able to login to the vRA portal with an Active Directory account.

This concludes the blog post. Whilst I appreciate this may be a corner case, hopefully you have found this information useful. I'm expecting the public VMware documentation to be updated for this use case, although there are no guarantees.

During a recent vRA 7.3 enterprise deployment at a customer site, I was required to configure vRA Directories Management to support AD user authentication. The customer had the following constraints, which impacted the expected outcome of this configuration.

Non-Windows machines were not allowed to register their DNS A or PTR records in the Active Directory integrated DNS domain.

Active Directory integration must be configured using Integrated Windows Authentication wherever the product supports IWA; LDAP is not permitted

Computer objects will be pre-staged in the Active Directory domain

vRA appliances and vRA IaaS nodes DNS records were located in different namespaces

This meant we needed to configure Active Directory over IWA as the identity source for user authentication using the Directories Management feature; however, the AD domain name and DNS zone were in a different namespace to the FQDN of the vRA appliances.

In this blog post, I will recreate this use case using the domains below to demonstrate the impact of configuring vRA Directories Management using IWA in a disjointed namespace. I will cover the procedure to remediate the configuration in a part 2.

For further information on disjointed namespaces, please refer to the Microsoft article: Disjoint Namespace

The vRealize Automation appliances and vRA IaaS nodes use an AD domain named testlab.com. All these hosts are configured as <hostname>.testlab.com and name resolution is provided by AD integrated DNS. The vRA IaaS Windows servers are members of the testlab.com domain.

vRA is required to support user authentication from an Active Directory domain named offprem.cloudtest.com. Given the constraints above, vRA Directories Management must therefore use offprem.cloudtest.com as the identity source for synchronisation.
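Before repeating this in your own environment, it is worth checking up front whether the appliance FQDN and the IWA domain are actually disjoint, because the join renames the appliance to <shortname>.<IWA domain> (the symptom covered below). The following PowerShell is an added example and not part of the original post: it flags the disjoint-namespace condition for each appliance, checks forward and reverse resolution of the current name, tests whether the post-join name would resolve at all, and optionally confirms the pre-staged computer object exists in the IWA domain. It assumes a domain-joined Windows host with the DnsClient module, and the RSAT ActiveDirectory module for the computer object check; the host and domain names are the lab values from this post.

```powershell
# Added example, not from the original post: pre-check the disjoint-namespace condition
# before configuring IWA on a vRA appliance. Run from a domain-joined Windows host with
# the DnsClient module; -CheckComputerObject also needs the RSAT ActiveDirectory module.
function Test-VraIwaNamespace {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ApplianceFqdn,  # e.g. vratestlab01.testlab.com
        [Parameter(Mandatory)] [string]   $IwaDomain,      # AD DNS domain used for IWA
        [switch] $CheckComputerObject                       # look for the pre-staged object
    )
    foreach ($fqdn in $ApplianceFqdn) {
        $shortName, $dnsSuffix = $fqdn -split '\.', 2

        # Joining the appliance to $IwaDomain renames it to <shortname>.<IwaDomain>.
        # In a disjoint namespace that name is usually not in any zone the appliance can query.
        $joinedName = "$shortName.$IwaDomain"
        $disjoint   = $dnsSuffix -ne $IwaDomain

        $forward = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue
        $reverse = $null
        if ($forward) {
            $ip = ($forward | Where-Object QueryType -eq 'A' | Select-Object -First 1).IPAddress
            if ($ip) { $reverse = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue }
        }
        $joinedResolves = [bool](Resolve-DnsName -Name $joinedName -Type A -ErrorAction SilentlyContinue)

        $preStaged = 'not checked'
        if ($CheckComputerObject) {
            # Constraint from the post: computer objects are pre-staged in the IWA domain.
            $obj = Get-ADComputer -Filter "Name -eq '$shortName'" -Server $IwaDomain -ErrorAction SilentlyContinue
            $preStaged = [bool]$obj
        }

        [pscustomobject]@{
            Appliance          = $fqdn
            DisjointNamespace  = $disjoint
            HostnameAfterJoin  = $joinedName
            JoinedNameResolves = $joinedResolves
            ForwardResolves    = [bool]$forward
            ReverseResolves    = [bool]$reverse
            ComputerPreStaged  = $preStaged
            Verdict            = $(if ($disjoint -and -not $joinedResolves) { 'STOP: disjoint namespace and the post-join hostname does not resolve' }
                                   elseif ($disjoint) { 'WARN: disjoint namespace' }
                                   else { 'OK' })
        }
    }
}

# Usage with the lab names from this post (offprem.cloudtest.com is the IWA domain):
Test-VraIwaNamespace -ApplianceFqdn 'vratestlab01.testlab.com','vratestlab02.testlab.com' `
                     -IwaDomain 'offprem.cloudtest.com' -CheckComputerObject | Format-List
```

A STOP verdict means the appliance will end up with an OS hostname nobody can resolve once the directory is saved, which is exactly the state part 2 has to recover from; a WARN means the namespace is disjoint but the renamed host would at least resolve, so the cluster and Management Agent symptoms below may not all appear.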

Select the primary vRA appliance as the Sync Connector from the dropdown list

Do you want this Connector to also perform authentication? Select the Yes radio button

Select sAMAccountName as the Directory Search Attribute

Enter the name of the AD domain to join and the domain admin credentials.

Enter the Bind User Details in UPN format

Click Save & Next

On the Select the Domains page, select the domains which should be associated with this AD connection.

Click Next

The Directories Management attributes are mapped to the Active Directory attributes. Review and update as required.

Click Next

Select the groups you would like to synchronise from Active Directory

Click Next

Select the users you would like to synchronise from Active Directory

Click Next

Review the page to see how many users and groups will be syncing to the directory.

Click Sync Directory

Symptoms of Configuring Active Directory IWA with a Disjointed Namespace

Configure Directories Management for High Availability

When configuring Directories Management for High Availability, you add the secondary connector to the identity provider and the save appears to succeed, but the configuration is not persisted.

Select Administration > Directories Management > Identity Providers

Click the Add a Connector drop-down list, and select the connector that corresponds to your secondary vRealize Automation appliance.

Enter the appropriate password in the Bind DN and Domain Admin Password fields.

Click Save.

The connector configuration is not saved. This may just be a UI issue, but it is a symptom I have only observed in this use case.

vRA Appliance Hostname

The vRA Appliance hostname in the VAMI network tab has been updated to use the short name.

The OS hostname of the appliance has been changed to an FQDN in the IWA AD domain, which in my use case is not resolvable.

vRealize Automation VAMI Cluster

When viewing the vRA Cluster information in the VAMI, the node list is empty.

vRA IaaS Management Agents

On every vRA IaaS node in the deployment, the vRealize Automation Management Agent configuration file is rewritten with the changed FQDN of the vRealize Automation appliance.

The file is located at: <install_path>\VMware\vCAC\Management Agent\VMware.IaaS.Management.Agent.exe.Config
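Because the rewrite happens on every IaaS node, it is quicker to read the file from all of them at once than to open each one. The PowerShell below is an added example, not code from the original post: it pulls every host named in an https URL out of the Management Agent config on each node, compares them against the appliance FQDN the agent should point at, and reports the agent service state alongside. It assumes PowerShell remoting to the IaaS nodes, the default install path shown in the parameter (override with -AgentConfigPath if you changed it), that the appliance endpoint appears in the file as an https URL (matched by regex, so the exact XML element name does not matter), and that the service display name below is the one the installer registers.

```powershell
# Added example, not from the original post: read the Management Agent config on every
# IaaS node and report which appliance host(s) it points at, so hostname drift after an
# IWA join is caught on all nodes at once. Assumptions: PowerShell remoting to the nodes;
# the default install path below (override with -AgentConfigPath); the appliance endpoint
# appears in the file as an https URL, matched by regex rather than by XML element name;
# the service display name is the one the installer registers on the lab nodes.
function Get-VraAgentEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $IaasNode,
        [Parameter(Mandatory)] [string]   $ExpectedApplianceFqdn,
        [string] $AgentConfigPath = 'C:\Program Files (x86)\VMware\vCAC\Management Agent\VMware.IaaS.Management.Agent.exe.Config'
    )
    $remote = {
        param($path, $expected)
        $svc = Get-Service -DisplayName 'VMware vCloud Automation Center Management Agent' -ErrorAction SilentlyContinue
        $svcState = $(if ($svc) { $svc.Status.ToString() } else { 'not found' })
        if (-not (Test-Path -LiteralPath $path)) {
            return [pscustomobject]@{ Node = $env:COMPUTERNAME; ConfigFound = $false; EndpointHosts = @(); Matches = $false; AgentService = $svcState }
        }
        $text  = Get-Content -LiteralPath $path -Raw
        # Every host named in an https:// URL anywhere in the config (port and path stripped).
        $hosts = @([regex]::Matches($text, 'https://([^/:"''\s]+)') |
                   ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)
        $stray = @($hosts | Where-Object { $_ -ne $expected })
        [pscustomobject]@{
            Node          = $env:COMPUTERNAME
            ConfigFound   = $true
            EndpointHosts = $hosts
            Matches       = ($hosts.Count -gt 0 -and $stray.Count -eq 0)
            AgentService  = $svcState
        }
    }
    Invoke-Command -ComputerName $IaasNode -ScriptBlock $remote -ArgumentList $AgentConfigPath, $ExpectedApplianceFqdn |
        Select-Object Node, ConfigFound, Matches, @{ n = 'EndpointHosts'; e = { $_.EndpointHosts -join ', ' } }, AgentService
}

# Usage with the lab nodes from this series; every row should show Matches = True and the agent Running.
Get-VraAgentEndpoint -IaasNode 'vratestlab03.testlab.com','vratestlab04.testlab.com','vratestlab05.testlab.com','vratestlab06.testlab.com','vratestlab07.testlab.com','vratestlab08.testlab.com' `
                     -ExpectedApplianceFqdn 'vratestlab01.testlab.com' | Format-Table -AutoSize
```

In the disjoint-namespace case described above, EndpointHosts shows the appliance short name suffixed with the IWA domain on every node and Matches is False; any node that still shows the original FQDN was simply not reachable when the agents re-registered, and will drift too once it reconnects.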

In part 2 of this blog, I will demonstrate how to remediate this use case, and complete the configuration of vRA Directories Management using Active Directory with Integrated Windows Authentication in a disjointed namespace.

Following on from vRA 7 Enterprise Deployment Part 4, this blog continues the series with the vRealize Automation Deployment Wizard, which completes the vRealize Automation Enterprise Deployment. Since the vRA 7.0 release, the Deployment Wizard has handled the prerequisite configuration and automated deployment of the vRA IaaS components. It starts by default after the deployment of a vRealize Automation appliance and can be accessed from the primary vRA appliance's Virtual Appliance Management Interface (VAMI) on port 5480. Log on as the root account and you are presented with the vRA Deployment Wizard.

Installation Steps using the Installation Wizard

Log in to the first IaaS Web Server host with the domain service account that will be used to perform the installation and will also run the Windows service for the vCAC Management Agent.
Example first Web Server: vratestlab03.testlab.com
Example Domain Service Account: testlab\svc_vra_iaas01 (ensure it is a member of the local Administrators and Remote Desktop Users groups)

Note: You need to perform these steps on the first Windows Server you will use as the primary IaaS Web Server host, ensuring that the server has full network access to all vRealize Automation and IaaS Web, Manager, DEM, and Proxy Agent servers to perform the Management Agent installation.

Click I Understand the Risks, and click Add Exception to accept the certificate.

Click Confirm Security Exception.

Log in using the user name root and the password you specified when you deployed the vRealize Automation appliance.

Click Login.

On the Welcome to the vRealize Automation Wizard page.

Click Next to continue.

On the End User License Agreement page, click I accept the terms of this agreement.

Click Next to continue.

On the Deployment Type page, select the Enterprise deployment option.

Click Next to continue.

Ensure Install Infrastructure as a Service is selected

On the Installation Prerequisites page:

Select the appropriate NTP time synchronization option to use across the virtual appliances and IaaS servers. For Virtual Appliance Time Sync Mode, choose either the Use Host Time or the Use Time Server radio button.

Click Change Time Settings to save the time synchronization method.

Check that the list of IaaS Server host names matches those in the IaaS Management Agent Deployment Information table.

Note: If one of the Windows servers does not appear in the list of IaaS Host Name and does not show it is connected, do not proceed with the installation until the problem is identified and resolved with the IaaS Management Agent. When all Windows servers with IaaS Management Agents report as connected, proceed with the vRealize Automation Installation Wizard.

Click Next.

On the vRealize Appliances page:

Click the green add icon to add the second vRealize Automation Appliance:

Host: Example: vratestlab02.testlab.com

Admin User: root

Password: Enter your root password

Click Next to continue.

Click OK to proceed after the warning for untrusted host message is displayed.

On the Server Roles page, check off the following server roles applicable to the vRealize Automation high availability deployment:

Primary Web (with Model Manager data) Service:

<vratestlab03.testlab.com>

Other Webs:

<vratestlab04.testlab.com>

Manager Service:

<vratestlab05.testlab.com>

<vratestlab06.testlab.com>

DEM & Proxy Agent:

<vratestlab07.testlab.com>

<vratestlab08.testlab.com>

Click Next to continue.

On the Pre-requisite Checker page, click Run.

The prerequisite checker will check for installation prerequisites and display the validation results on the Pre-requisite Checker page.

Wait for the prerequisite checker Status to change from Pending to OK.

After the prerequisites checker validation has completed, verify that the status is reported as OK for all IaaS hosts.

For any IaaS hosts that report prerequisites are not met, click Show Details to expand the view and show the Action required to fix the prerequisites

Click the Hide Details link to collapse the Show Details view.

Click Fix to allow the prerequisites checker to perform any required fixes.

A Loading message will be displayed while the background processes start to fix the reported prerequisite issues.

On the Prerequisites Checker page, wait for the prerequisites checker to complete the fix for each IaaS Host in the IaaS Host Name list.

After the prerequisites checker has completed all fixes to IaaS hosts, the Status column should report OK with all green check marks.

Click Next to continue.

On the vRealize Automation Host page, enter the vRealize Address, which is the DNS alias or FQDN of the vRealize Automation load balancer.

DO NOT CLICK NEXT AT THIS POINT!

If the initial deployment is not yet behind a load balancer but you plan to introduce one after the installation completes, you must first create the DNS alias (CNAME) for the load balancer address before proceeding.

If, at this point in the deployment a load balancer is introduced, verify that the load balancer VIPs and monitors are configured correctly.

Ensure you have setup your load balancer as per the vRA Load Balancing guide and test resolution of your DNS records.

Navigate to vRA Settings > Cluster and verify the configuration. Expand the Host / Node Name to validate the roles assigned to each node.

Verify all nodes are in a healthy state by checking their Last Connected time from the VAMI of the primary vRA appliance

Ensure the IaaS nodes have a last connected time of less than 30 seconds

Ensure the vRA appliances have a last connected time of less than 10 minutes

Note: The screenshot is from my vRA 7.3 environment

Navigate to vRA Settings > Database and verify the configuration.

Ensure the replication mode is Asynchronous

Check the Connection Status is CONNECTED

Verify the primary vRA appliance is the MASTER node and the secondary vRA appliance is the REPLICA node.

Ensure both Postgres DB nodes have a status of Up

Navigate to Services and confirm all services have a status of REGISTERED.

This concludes part 5 of this vRealize Automation Enterprise installation series and vRealize Automation is now installed. I will continue with the vRA 7 series, where we can now start configuring the post vRA 7 deployment elements.

Following on from the vRA 7 Enterprise Deployment Part 3, this blog continues the series with the installation of the vRealize Automation IaaS management agent on the IaaS nodes.

Since the vRA 7.0 release, the vRA Deployment Wizard has handled the prerequisite configuration and automated deployment of the vRA IaaS components. This is a massive improvement over the vRA 6.x procedure and is more reliable. Before proceeding with the vRA Deployment Wizard, the vRA Management Agent must be installed on each vRA IaaS node. Once installed, the host registers with the primary vRA appliance.

Exception: Java 64-bit is required on the IaaS Web servers and cannot be pushed by the deployment wizard. You must install a supported 64-bit version of Java and add the “JAVA_HOME” system variable on each IaaS Web server you plan to use prior to commencing with the vRA Deployment Wizard.

As per the Enterprise (previously known as Large) deployment model in the vRealize Automation 7 Reference Architecture document, you need to prepare 8 Windows Server VMs, ensuring they meet the prerequisites for the vRA Deployment Wizard. This deployment guide assumes you already have a Microsoft SQL Server deployed that can host the vRA IaaS database.

Ensure you adhere to the vRealize Automation Support Matrix and the Interoperability Guides.

Once you have prepared the following, you can continue with the vRealize Automation installation:

8 x Windows Server VMs deployed

A supported version of JRE x64 installed on each IaaS Web server

The JAVA_HOME system variable configured on each IaaS Web server

A supported load balancer configured, with only the primary nodes enabled in the LB pools

DNS alias addresses created and validated for the vRA installation
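The Java prerequisite is the one the wizard cannot push for you, and a JAVA_HOME set in a user profile rather than as a system variable is a common reason the prerequisite checker later fails on the Web servers. The PowerShell below is an added example and not part of the original post: it checks each IaaS Web server for a machine-scope JAVA_HOME that points at a 64-bit java.exe, and checks that the DNS aliases resolve before they are typed into the wizard. It assumes PowerShell remoting to the Web servers; the alias names are the ones this series uses for its certificates.

```powershell
# Added example, not from the original post: pre-flight check of the two prerequisites the
# Deployment Wizard cannot fix for you: 64-bit Java with JAVA_HOME set at machine scope on
# the IaaS Web servers, and the DNS alias records resolving before they are typed into the
# wizard. Assumptions: PowerShell remoting to the Web servers; the alias names are the
# ones this series uses for its certificates.
function Test-VraIaasPrereq {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $WebServer,
        [Parameter(Mandatory)] [string[]] $DnsAlias
    )
    $javaCheck = {
        # Machine scope is what a service (and the wizard's remote install) will see;
        # a JAVA_HOME set only in a user profile does not count.
        $javaHome = [Environment]::GetEnvironmentVariable('JAVA_HOME', 'Machine')
        $javaExe  = $(if ($javaHome) { Join-Path $javaHome 'bin\java.exe' } else { $null })
        $found    = [bool]($javaExe -and (Test-Path -LiteralPath $javaExe))
        $is64 = $false; $version = $null
        if ($found) {
            # java -version writes to stderr; merge streams and look for the 64-Bit VM marker.
            $out     = @(& $javaExe -version 2>&1 | ForEach-Object { $_.ToString() })
            $version = $out | Select-Object -First 1
            $is64    = [bool]($out -match '64-Bit')
        }
        [pscustomobject]@{
            Node = $env:COMPUTERNAME; JavaHome = $javaHome; JavaExeFound = $found
            Java64Bit = $is64; JavaVersion = $version
        }
    }
    $javaResults = @(Invoke-Command -ComputerName $WebServer -ScriptBlock $javaCheck)
    $dnsResults  = @(foreach ($alias in $DnsAlias) {
        $rec = Resolve-DnsName -Name $alias -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Alias    = $alias
            Resolves = [bool]$rec
            Target   = ($rec | Where-Object QueryType -eq 'CNAME' | Select-Object -First 1).NameHost
            Address  = ($rec | Where-Object QueryType -eq 'A'     | Select-Object -First 1).IPAddress
        }
    })
    [pscustomobject]@{
        Java  = $javaResults
        Dns   = $dnsResults
        Ready = ((@($javaResults | Where-Object { -not $_.Java64Bit }).Count -eq 0) -and
                 (@($dnsResults  | Where-Object { -not $_.Resolves  }).Count -eq 0))
    }
}

# Usage with the lab names from this series:
$check = Test-VraIaasPrereq -WebServer 'vratestlab03.testlab.com','vratestlab04.testlab.com' `
                            -DnsAlias 'vra-portal.testlab.com','vra-web.testlab.com','vra-mgr.testlab.com'
$check.Java | Format-Table -AutoSize
$check.Dns  | Format-Table -AutoSize
"Ready for the Deployment Wizard: $($check.Ready)"
```

Only proceed to the wizard when Ready is True; a 32-bit JRE passes the "java.exe exists" test but fails the 64-Bit check, which is the case the Exception note above is warning about.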

Note: You need to perform these steps on the first Windows Server you will use as the primary IaaS Web Server host, ensuring that the server has full network access to all vRealize Automation and IaaS Web, Manager, DEM, and Proxy Agent servers to perform the Management Agent installation.

Click I Understand the Risks, and click Add Exception to accept the certificate.

Click Confirm Security Exception.

Log in using the user name root and the password you specified when you deployed the vRealize Automation appliance.

Click Login.

On the Welcome to the vRealize Automation Wizard page.

Click Next to continue.

On the End User License Agreement page, click I accept the terms of this agreement.

Click Next to continue.

On the Deployment Type page, select the Enterprise deployment option.

Click Next to continue.

Ensure Install Infrastructure as a Service is selected

On the Installation Prerequisites page:

Click the vCAC-IaaSManagementAgent-Setup.msi hyperlink to begin downloading the Management Agent installer.

Click Save File to save the installer to a local folder on the primary IaaS Web Server host where you are performing the Management Agent installation from.

Browse to the local directory where you saved the installer, on the primary IaaS Web Server host.

Right click on the vCAC-IaaSManagementAgent-Setup.msi file and select Install.

When the setup wizard opens, click Next.

On the End-User License Agreement screen of the Management Agent Setup Wizard, check the box I accept the terms of this agreement.

Click Next.

On the Destination Folder screen, select a destination folder by clicking Change, or accept the default installation path.

The following table lists the host name information for the vRA IaaS nodes in my homelab, where the IaaS Management Agent for each IaaS Server component will be installed. You can use this table as a reference to complete the vRealize Automation Management Agent installation on all of the vRA IaaS nodes.

IaaS Management Agent Deployment Information

Component                              IaaS Role (Management Agent Required or N/A)              Server FQDN
vRealize Automation Appliances         Appliance (Management Agent N/A)                          vratestlab01.testlab.com, vratestlab02.testlab.com
vRealize Automation Websites           IaaS Web Servers (Management Agents Required)             vratestlab03.testlab.com, vratestlab04.testlab.com
Manager Service and DEM Orchestrator   IaaS Manager Servers (Management Agents Required)         vratestlab05.testlab.com, vratestlab06.testlab.com
DEM Workers and Agents                 IaaS Agent Servers (Management Agents Required)           vratestlab07.testlab.com, vratestlab08.testlab.com
Microsoft SQL Server 2012              vRealize Automation IaaS Database (Management Agent N/A)  sqltestlab01.testlab.com

This concludes part 4 of this vRealize Automation Enterprise installation series. I will continue with the vRA 7 deployment in part 5 of this series, where we can now start deploying vRA using the Deployment Wizard.

vRealize Automation Appliance Deployment Verification

Verify the Deployment of the First vRealize Automation Appliance

Go to the vRealize Automation appliance management console by opening a connection using its FQDN: https://vratestlab01.testlab.com:5480/

Accept the certificate by clicking I Understand the Risks and then clicking Add Exception.

Click Confirm Security Exception.

Log in with the user name root and the password you specified when deploying the vRealize Automation appliance.

The vRealize Automation Installation Wizard is displayed.

Caution – Stop Here and Do NOT Click Next. Verify that all other vRealize Automation appliances have been deployed and are running before proceeding to the next step

Do not cancel or exit out of the wizard at any time. If you exit the wizard, the tool assumes that you will be going through a manual installation and will not let you restart the wizard. Leave this page open and continue on to the next section.

Verify the Deployment of the Second vRealize Automation Appliance

Go to the vRealize Automation appliance management console by opening a connection using its FQDN. For example: https://vratestlab02.testlab.com:5480/

Accept the certificate exception by clicking I Understand the Risks, and clicking Add Exception.

Click Confirm Security Exception.

Log in using the user name root and the password you specified when deploying the vRealize Automation appliance.

The vRealize Automation Installation Wizard is displayed.

Caution – Stop Here and Do NOT Click Next. Verify that all other vRealize Automation appliances have been deployed and are running before proceeding to the next step

Do not cancel or exit out of the wizard at any time. If you exit the wizard, the tool assumes that you will be going through a manual installation and will not let you restart the wizard. Leave this page open and continue on to the next section.

I will continue with the vRA 7 deployment in part 4 of this series, where we can now start deploying the vRA IaaS nodes.

Following on from vRA 7 Enterprise Deployment Part 1, this blog continues the series with some further planning and preparation before starting with the initial vRA Appliances deployment.

Generating Certificates

A production, distributed vRealize Automation deployment utilises Certificate Authority (CA) signed security certificates as each component communicates exclusively over SSL. While it is possible to import self-signed certificates on necessary components, this is not recommended in a production environment.

In my home lab, I have installed a Microsoft Certificate Authority. I followed this blog article to set up my Microsoft CA:

Creating and Publishing a Certificate Template

Referencing the KB article, I created the certificate template using the following steps.

Open the MMC console for Certificate Templates:

Click File and select Add/Remove Snap-in

Select Certificate Templates in Available Snap-Ins and click Add

Click OK

From the right pane, right-click Web Server template

Click Duplicate Template

In the Properties of New Template dialog box:

Click the General tab

Type the name of the template in Template name text box

In the Properties of New Template dialog box:

Click the Subject Name tab

Select the Supply in the request radio button

In the Properties of New Template dialog box:

Click the Security tab

Assign Full Control privileges to the domain administrator account that will manage the template

Assign Full Control privileges to the computer from which the certificate requests for this template will be submitted

Note: keep Enroll rights on this template scoped to those principals. Because the template lets the requester supply the subject name, granting Enroll to broad groups such as Authenticated Users or Domain Computers would let any member request a certificate for an arbitrary name.

Click OK

Open the MMC console for Certification Authority for the domain:

Right-click Certificate Templates

Select New > Certificate Template to Issue

In the Enable Certificate Templates dialog box:

Select the certificate created in the above steps

Click OK

Now the certificate template is published and ready to use. The table below details the certificates required for an Enterprise (large) deployment with HA using embedded vRO instances.

vRealize Automation Certificate Requirements for High Availability

Certificate Common Name    Application Role                  Encoding Needed
vra-portal.testlab.com     vRealize Automation Appliances    PEM and unencrypted key
vra-web.testlab.com        IaaS Web Servers                  PKCS12
vra-mgr.testlab.com        IaaS Manager Services             PKCS12
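The table fixes three things per role: the common name, the subject alternative names clients will actually connect with (the load balancer name plus the node names behind it), and the output encoding. The PowerShell below is an added example and not code from the original post: it scripts the OpenSSL side end to end, generating a key and SAN-bearing CSR per role and then producing the encoding each role needs (PEM plus unencrypted key for the appliances, PKCS12 for the IaaS roles). It assumes openssl.exe is on the PATH, that the signed certificate and CA chain come back from AD CS Base64 (PEM) encoded, and that the O and C subject fields and the per-role SAN lists are lab placeholders you will replace; the D:\Certs folder layout matches the one used later in this post.

```powershell
# Added example, not from the original post: the OpenSSL side of the certificate table,
# scripted. One key and SAN CSR per role, then the encoding each role needs (PEM plus
# unencrypted key for the appliances, PKCS12 for the IaaS roles). Assumptions: openssl.exe
# is on the PATH; the signed cert and CA chain come back from AD CS Base64 (PEM) encoded;
# the O/C subject fields and the SAN lists in the usage section are lab placeholders.
$OpenSsl = 'openssl'
$BaseDir = 'D:\Certs'

function New-VraCsr {
    param(
        [Parameter(Mandatory)] [string]   $Folder,      # vrava, IaaSWeb or IaaSMgr
        [Parameter(Mandatory)] [string]   $CommonName,  # load balancer name from the table
        [Parameter(Mandatory)] [string[]] $San          # every name clients will connect to
    )
    $dir = Join-Path $BaseDir $Folder
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $sanLine = ($San | ForEach-Object { "DNS:$_" }) -join ','
    # SANs travel inside the CSR, so the CA does not need the EDITF_ATTRIBUTESUBJECTALTNAME2
    # flag (which lets any requester add names as request attributes) to put them in the cert.
    @"
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = $CommonName
O  = testlab
C  = GB

[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = $sanLine
"@ | Set-Content -Path (Join-Path $dir 'openssl.cfg') -Encoding ASCII

    # -nodes: private key written unencrypted, which is what the appliance import requires.
    & $OpenSsl req -new -newkey rsa:2048 -nodes -config (Join-Path $dir 'openssl.cfg') `
        -keyout (Join-Path $dir 'rui.key') -out (Join-Path $dir 'rui.csr')
    if ($LASTEXITCODE -ne 0) { throw "openssl req failed for $CommonName" }
    Join-Path $dir 'rui.csr'
}

function ConvertTo-VraCertBundle {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [Parameter(Mandatory)] [string] $SignedCert,   # Base64 .cer downloaded from AD CS
        [Parameter(Mandatory)] [string] $CaChain,      # Base64 CA chain (root, then subordinates)
        [Parameter(Mandatory)] [ValidateSet('PEM','PKCS12')] [string] $Encoding,
        [string] $Pkcs12Password
    )
    $dir = Join-Path $BaseDir $Folder
    $key = Join-Path $dir 'rui.key'
    if ($Encoding -eq 'PEM') {
        # Appliance: leaf cert followed by the chain in one PEM, plus the unencrypted key.
        Get-Content -Path $SignedCert, $CaChain | Set-Content -Path (Join-Path $dir 'rui.pem') -Encoding ASCII
        & $OpenSsl rsa -in $key -out (Join-Path $dir 'rui-unencrypted.key')
        if ($LASTEXITCODE -ne 0) { throw 'openssl rsa failed' }
        return (Join-Path $dir 'rui.pem')
    }
    if (-not $Pkcs12Password) { throw 'PKCS12 output needs -Pkcs12Password' }
    # IaaS Web / Manager: PKCS12 with key and chain. The password goes to openssl through an
    # environment variable rather than the command line, so it is not visible in process listings.
    $env:VRA_PFX_PASS = $Pkcs12Password
    try {
        & $OpenSsl pkcs12 -export -in $SignedCert -inkey $key -certfile $CaChain `
            -out (Join-Path $dir 'rui.pfx') -passout env:VRA_PFX_PASS
        if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 failed' }
    } finally { Remove-Item Env:\VRA_PFX_PASS -ErrorAction SilentlyContinue }
    Join-Path $dir 'rui.pfx'
}

# Usage, step 1: generate the three CSRs, then submit each rui.csr to AD CS using the
# Web Server template published above and download the issued certificate as Base64.
New-VraCsr -Folder vrava   -CommonName vra-portal.testlab.com -San vra-portal.testlab.com,vratestlab01.testlab.com,vratestlab02.testlab.com
New-VraCsr -Folder IaaSWeb -CommonName vra-web.testlab.com    -San vra-web.testlab.com,vratestlab03.testlab.com,vratestlab04.testlab.com
New-VraCsr -Folder IaaSMgr -CommonName vra-mgr.testlab.com    -San vra-mgr.testlab.com,vratestlab05.testlab.com,vratestlab06.testlab.com
# Usage, step 2 (run after enrollment, once certnew.cer and the chain are in place):
# ConvertTo-VraCertBundle -Folder vrava   -SignedCert D:\Certs\vrava\certnew.cer   -CaChain D:\Certs\cachain.pem -Encoding PEM
# ConvertTo-VraCertBundle -Folder IaaSWeb -SignedCert D:\Certs\IaaSWeb\certnew.cer -CaChain D:\Certs\cachain.pem -Encoding PKCS12 -Pkcs12Password (Read-Host 'PFX password')
# ConvertTo-VraCertBundle -Folder IaaSMgr -SignedCert D:\Certs\IaaSMgr\certnew.cer -CaChain D:\Certs\cachain.pem -Encoding PKCS12 -Pkcs12Password (Read-Host 'PFX password')
```

If AD CS hands back a DER-encoded .cer instead of Base64, convert it first with openssl x509 -inform DER -in certnew.cer -out certnew.pem before calling ConvertTo-VraCertBundle. Putting the SANs in the CSR rather than as request attributes is deliberate: it means the CA can be left with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag disabled, which is the safe setting.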

Generating SSL Certificates

Now we will create the PKCS12 formatted certificates for the vRA IaaS Windows components and the PEM encoded certificate for the vRA appliances. You will need a machine with OpenSSL installed to generate the Certificate Signing Requests and perform the format conversions, plus access to the Certificate Services server to issue the signed certificates. The process shown below uses Microsoft Active Directory Certificate Services.

Prepare for certificate generation using the following procedure:

Install OpenSSL on the machine where you will generate the certificates.

Create a base folder (D:\Certs in this example) with separate sub-folders for each vRealize Automation component.

Within the base folder, create three subfolders named as follows:

vrava

IaaSWeb

IaaSMgr

Log in to the Microsoft Certificate Authority web interface, for example: